Using Object-Groups in a static

sgrizzle
Level 1

I need to ping a set of remote hosts to determine connectivity. I want to use object-groups to limit the number of commands used. I have the ICMP group set for echo-reply, source-quench, unreachable, and time-exceeded. I also have a network object group set up for the 5 remote hosts to be pinged. However, I am having trouble incorporating these object-groups into the static and access-list commands in any way that allows the pings back in through the PIX. What could be going wrong?

7 Replies

nkhawaja
Cisco Employee

Hi,

Can you please show what object groups you are using and how? You can't include object groups in a static.

You can only do it in access-lists. What is the trouble you are having? What IOS code is it?

Thanks

Nadeem

I'm just not getting the replies, and the network is up. (By the way, would it complicate matters if this was through a VPN tunnel? It is. However, my users are getting their traffic through the tunnel and I can see that it is up and running.)

Yes, I have been finding this out about the static command the hard way. But I thought (and was taught) that you could substitute object-groups anywhere that the individual service, protocol, or network address could go?

The IP addresses have been changed for security reasons (and are random, out of my head).

What you see below are some command sets that I have tried at various times.

**********************************************

Static (inside,outside) interface 192.16.1.5 netmask 255.255.255.0 0 0

object-group icmp-type echo
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded

object-group network ping
network-object server 255.255.255.255
network-object 172.168.1.2 255.255.255.255
network-object 172.168.3.2 255.255.255.255

access-list 101 permit icmp object-group ping any
access-list 102 permit icmp object-group ping interface outside object-group echo

*******************************

Thanks for your assistance in advance!

You meant to have something like this:

Static (inside,outside) interface 192.16.1.5 netmask 255.255.255.0 0 0

object-group icmp-type icmp-allowed
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded

object-group network mydestination
network-object server 255.255.255.255
network-object 172.168.1.2 255.255.255.255
network-object 172.168.3.2 255.255.255.255

access-list 101 permit icmp object-group mydestination any icmp-allowed
access-group 101 in interface outside

Thanks

Nadeem

I am trying to learn object grouping, too. Shouldn't the ACL be

access-list 101 permit icmp object-group mydestination any object-group icmp-allowed

Hi,

Yes, you are right; sorry, I missed the syntax in the access-list.

Thanks

Nadeem

So it looks as though the access-list statement is where I am in error. Please tell me if I am reading this correctly... "access-list 101 permit icmp object-group mydestination any object-group icmp-allowed" translates to "permit icmp from mydestination to icmp-allowed", correct? What does the 'any' in there do? It looks out of place to me, since I already have the source and destination in there. Also, why can't I use object-grouping in the static command for networks and protocols?

Thanks in advance,

Steve

Hi,

icmp-allowed is the type of ICMP to be allowed, e.g. echo-reply etc.

No, it does not translate to this. It translates to

"permit icmp from mydestination to *ANY*, but only these icmp-types are allowed."

I don't have an answer for why we can't use object-grouping in static. My best guess is that statics are usually based on IPs to IPs, with some continuity in the IP addresses, so that they can be summarized. If you make an object group for a static you may put discontiguous IP addresses in it, etc.
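The reading Nadeem gives above is easiest to see by expanding the object-group line into the flat entries the firewall actually matches, the way `show access-list` displays them: one `access-list` line with a three-host network group and a four-type ICMP group becomes twelve entries, each "permit icmp from <host> to any, type <icmp-type>". The following script is an added example written for this thread, not code from the original posts or from Cisco; it emulates that expansion for the syntax forms used in the thread (host and address/mask network members, icmp-type groups, `any`, `host`, and bare address/mask specs, no nested `group-object` and no TCP/UDP port operators). The config it parses is constructed, with placeholder addresses like those in the posts; `10.1.1.20` stands in for the `server` name alias. It also rejects a reference to an undefined group, which is the error the PIX itself returns when a group name is misspelled.

```python
"""Expand PIX-style object-group access-list entries into the flat entries they stand for."""
from itertools import product

# Constructed sample config (placeholder addresses; 10.1.1.20 replaces the 'server' alias).
SAMPLE_CONFIG = """\
object-group icmp-type icmp-allowed
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded
object-group network mydestination
 network-object host 10.1.1.20
 network-object 172.168.1.2 255.255.255.255
 network-object 172.168.3.2 255.255.255.255
access-list 101 permit icmp object-group mydestination any object-group icmp-allowed
access-list 101 deny ip any any
"""

MEMBER_KEYWORDS = ("network-object ", "icmp-object ", "service-object ", "protocol-object ")


def parse_groups(config):
    """Return {name: (kind, [member specs])} for every object-group in the config."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group "):
            parts = line.split()
            current = groups.setdefault(parts[2], (parts[1], []))
        elif current is not None and line.startswith(MEMBER_KEYWORDS):
            current[1].append(line.split(maxsplit=1)[1])
        else:
            current = None  # any other command ends the group definition
    return groups


def lookup(groups, name, kind):
    """Return a group's members, failing the way the firewall does for a bad reference."""
    if name not in groups:
        raise ValueError(f"object-group {name} is not defined")
    got, members = groups[name]
    if kind and got != kind:
        raise ValueError(f"object-group {name} is type {got}, expected {kind}")
    return members


def normalize_host(spec):
    """Write 'a.b.c.d 255.255.255.255' as 'host a.b.c.d', as show access-list does."""
    parts = spec.split()
    if len(parts) == 2 and parts[1] == "255.255.255.255":
        return "host " + parts[0]
    return spec


def _take_address(tokens, i, groups):
    """Consume one address spec at tokens[i:]; return (list of specs, next index)."""
    if tokens[i] == "any":
        return ["any"], i + 1
    if tokens[i] == "host":
        return ["host " + tokens[i + 1]], i + 2
    if tokens[i] == "object-group":
        return [normalize_host(m) for m in lookup(groups, tokens[i + 1], "network")], i + 2
    return [normalize_host(tokens[i] + " " + tokens[i + 1])], i + 2  # bare addr mask


def expand(config):
    """Return (acl_id, action, proto, src, dst, qualifier) tuples, one per flat entry."""
    groups = parse_groups(config)
    entries = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue
        acl_id, action, i = tokens[1], tokens[2], 3
        if tokens[i] == "object-group":
            protos, i = lookup(groups, tokens[i + 1], "protocol"), i + 2
        else:
            protos, i = [tokens[i]], i + 1
        srcs, i = _take_address(tokens, i, groups)
        dsts, i = _take_address(tokens, i, groups)
        rest = tokens[i:]
        quals = lookup(groups, rest[1], None) if rest[:1] == ["object-group"] else [" ".join(rest)]
        for p, s, d, q in product(protos, srcs, dsts, quals):
            entries.append((acl_id, action, p, s, d, q))
    return entries


def expand_or_error(config):
    """Like expand(), but return the rejection message instead of raising."""
    try:
        return expand(config)
    except ValueError as exc:
        return str(exc)


def render(entry):
    """Print an entry in access-list syntax (empty qualifier omitted)."""
    return " ".join(filter(None, ("access-list",) + entry))


def describe(entry):
    """Read an entry the way the thread does: action, protocol, from source to destination."""
    _, action, proto, src, dst, qual = entry
    return f"{action} {proto} from {src} to {dst}" + (f", type {qual}" if qual else "")


if __name__ == "__main__":
    for e in expand(SAMPLE_CONFIG):
        print(f"{render(e):70}  # {describe(e)}")
    print(expand_or_error("access-list 1 permit icmp object-group nope any\n"))
```

The expanded list makes the security point visible: the destination in every one of the twelve entries is `any`, so the single line admits those ICMP types from each listed host to every address reachable through the outside interface, not only to the translated address in the static. If only the pinging host needs the replies, put that global address in the destination field instead of `any`.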
